SEP 22 2000

MEMORANDUM FOR:  KATHARINE G. ABRAHAM
                 Commissioner, Bureau of Labor Statistics

FROM:            /S/
                 JOHN J. GETEK
                 Assistant Inspector General for Audit

SUBJECT:         BLS Data Security Followup Audit
                 Final Letter Report No. 03-00-012-11-001

This final letter report provides the results of our followup audit to the Office of Inspector General (OIG) report entitled BLS Information Technology, Survey Processing, and Administrative Controls Must be Improved, Audit Report Number 09-99-007-11-001, issued July 20, 1999.

The letter report contains details on the audit results of the four recommendations that were open during our fieldwork and a finding and recommendation on a weakness in UNIX server passwords that was unrelated to the previous report recommendations. As a result of your response to the draft letter report, two of the four previous report recommendations were closed and the recommendation concerning the weakness in the UNIX server passwords was resolved.

Please keep us informed of your actions to close the three remaining recommendations.

We thank Stuart Rust and his staff for the courtesy and cooperation extended to the auditors during the fieldwork.

If you have any questions concerning this report, please contact Roger B. Langsdale, Regional Inspector General for Audit, in Philadelphia at (215) 656-2300.

BLS Data Security Followup Audit

Background, Objectives, and Scope

On July 20, 1999, OIG issued an audit report to the Bureau of Labor Statistics (BLS) entitled BLS Information Technology, Survey Processing, and Administrative Controls Must be Improved. The audit was initiated as a result of a BLS prerelease of employment data in November 1998. The purpose of the audit was to determine whether adequate and effective internal controls were in place to prevent the premature or unauthorized disclosure or use of sensitive economic data. The audit scope was limited to five mission-critical systems involved in producing and disseminating reports that could have the most impact on financial markets if released before schedule: Current Employment Statistics Survey, Current Population Survey, Consumer Price Index, Employment Cost Index, and Producer Price Index. BLS Regional Offices were not included in the audit. The audit report contained 41 recommendations.

We performed a followup audit to determine if BLS implemented the recommendations in the July 20, 1999, audit report. The followup audit covered BLS National Office operations as they existed at the time of our fieldwork, June 5 through August 21, 2000, and considered any planned future changes. To accomplish our audit, we reviewed written policies and procedures and identified controls related to the findings from the prior audit report. We also made observations and performed tests to determine if BLS policies, procedures, and internal controls were in place, effective, and adhered to. In addition, we performed access control tests to determine if password strength was adequate.

The audit was performed in accordance with Government Auditing Standards issued by the Comptroller General of the United States.

Audit Results

The results of our fieldwork found that BLS had sufficiently implemented 37 of the 41 recommendations. On August 25, 2000, we sent the BLS Commissioner a draft letter report for her comments. The Commissioner's response, attached in its entirety, resulted in closing two more recommendations. BLS should be commended for the resources and effort put forth to implement the recommendations.

Also, during the audit we found a weakness in a user password on a UNIX server. The corrective action needed to improve UNIX user passwords did not apply to any recommendations in the previous report. Therefore, the draft letter report contained an additional finding and recommendation. The recommendation was resolved as a result of the Commissioner's response.

Details of the audit results follow.

Recommendation No. 1.2.1: Ensure procedures are developed to periodically review and test access controls at SunGard Computer Services to ensure BLS data is secure.

This recommendation was open because BLS had not fully implemented its procedures to test file and tape access controls at SunGard Computer Services (SunGard). We also found that access control deficiencies still existed at SunGard.

BLS developed test procedures to verify that BLS information stored on tapes at SunGard is secure. The test procedures entail setting up an "outside account" (an account not related to BLS) with SunGard, and using that account to run tape cartridge access programs against BLS tape cartridges to determine if they can be accessed. The procedures require that the tests be performed twice a year. We concluded that the planned procedures would be effective once implemented. However, at the time of our fieldwork, the test procedures had not been implemented because SunGard has been reluctant to provide the needed outside account.

We tested SunGard access controls and found deficiencies still exist. An OIG computer specialist was able to access, read, and copy data from a BLS tape. To determine if the problem could impact other DOL agencies, we arranged for a BLS computer specialist to attempt to access and read an OIG tape. The attempt was successful. We consider these penetrations to be a serious breach of security that may place all DOL tapes in jeopardy of unauthorized access. Although both computer specialists needed a tape number to perform the tests, an unauthorized user could easily obtain this information from printouts that are routinely thrown into recycling or trash containers. Knowledge of a tape number is therefore not an effective control by itself; access to tape data must be enforced by SunGard's access control facility.

BLS has discussed this matter with SunGard officials, and we informed the DOL Chief Information Officer about the access control problems at SunGard. Since this incident, BLS has made an agreement with the DOL Office of Chief Financial Officer (OCFO) to establish SunGard accounts for security testing.

Action Needed to Close the Recommendation

BLS must finalize its agreement with the OCFO and establish the outside account for security testing at SunGard.

BLS Response

BLS finalized its agreement with the OCFO to exchange SunGard user accounts.

OIG Conclusion

This recommendation is closed.

Recommendation No. 1.4.4: Develop and implement Information Technology (IT) security procedures to require that all servers and backup media be located in a secure location with limited access.

This recommendation remains open because BLS has not decided which of the options presented in the "Server Consolidation Options Report" will be the most cost-effective approach for ensuring that all servers and backup media are located in a secure location with limited access.

The BLS Office of Technology and Survey Processing (OTSP) chartered a team to review the physical location and logical administration of all servers within BLS. In May 2000, the OTSP team issued the "Server Consolidation Options Report," which presented four options for consolidating servers. However, BLS officials told us they are doing further research on some options before making a final decision. They expect this to occur in the next 2 to 3 months.

We reviewed the physical security of servers in the five survey offices cited in the audit. We found that the same condition reported in the audit continues to exist, except that servers used to store embargoed data have been secured.

Action Needed to Close the Recommendation

BLS must provide a plan that will ensure that all servers and backup media are located in a secure location with limited access.

BLS Response

BLS will inform us when they determine their course of action regarding server location and administration.

OIG Conclusion

This recommendation remains open.

Recommendation No. 1.4.7: Identify and review all existing data lines to ensure that they are needed.

This recommendation was open because we found that two modems allowing dial-in access were not secure. Although BLS does review its data lines to ensure they are needed, this procedure did not identify modems that are not properly configured or protected.

As part of our audit, we conducted a phone sweep (dialing the BLS National Office telephone numbers to find lines that answer with a modem) to detect modems within the BLS National Office. We identified two modems connected to BLS computers that were configured to receive incoming calls. We were told that one modem is used to connect to SunGard. In this case, the modem should be configured to perform outgoing calls only. The other modem has a valid reason for allowing dial-in access. However, a subsequent access test we performed revealed that access through this modem did not require a username and password.

Modems that are not properly configured and protected are security risks because they provide additional points of entry into the BLS network and bypass central protective devices such as a firewall.

Action Needed to Close the Recommendation

BLS must perform regular tests to ensure that modems not requiring dial-in access are configured for outgoing calls only. Computers that require dial-in access should be protected by a username and password, and should display the BLS security warning banner during log-on.

BLS Response

BLS changed the modem line to SunGard to permit dial-out calls only. The other modem identified in the report now prompts for an appropriate user name and password. BLS also responded that phone sweeps will be performed quarterly to detect unauthorized modems. Additionally, every BLS computer providing dial-in access will be protected by a username and password and, where possible, the BLS security warning banner will be displayed during the log-on process.

OIG Conclusion

This recommendation is closed.

Recommendation No. 1.4.8: Ensure managers review computer accounts regularly and verify that each account should be kept active. Delete all inactive accounts and accounts of separated employees and contractors.

This recommendation remains open. Although we found no exceptions in our review of NT servers, we did find that separated BLS employees still had active user accounts on UNIX servers. Because UNIX servers are not centralized, the process for reviewing and verifying user accounts is more difficult than for NT servers.

BLS implemented a review process which covers the deletion of user accounts for separated BLS employees, deletion of inactive user accounts not used within the last 30 days (after confirming an account is not needed), and an annual review of user accounts by network administrators.

To determine if the review process was working, we obtained a list of employees who separated from BLS during the period January 2 through June 19, 2000, and compared it to active NT and UNIX user accounts. We were told that the UNIX servers are not centralized and each individual server has its own accounts and passwords. Because of time constraints, we did not request a complete list of active UNIX accounts. Instead, BLS used special software to compile a list of active user accounts for approximately 75 percent of the UNIX servers and provided it to us.

We found no exceptions in our comparison of separated BLS employees to active NT user accounts. However, we found two separated employees still had active UNIX user accounts.

BLS is currently creating a "meta-directory" that will enable them to access centralized user data from all of their UNIX servers.

Action Needed to Close the Recommendation

BLS must complete the "meta-directory" and begin testing their UNIX servers to ensure that user accounts for separated employees are deleted.

BLS Response

BLS will inform us when the "meta-directory" is completed and central monitoring of UNIX accounts is under way.

OIG Conclusion

This recommendation remains open.

User Password Strength Needs to be Improved

We performed additional access control tests to check the strength of user passwords on a Windows NT server and a UNIX server. To accomplish this, we used password auditing software to examine approximately 180 user passwords on the NT server and 100 user passwords on the UNIX server. No exceptions were found on the NT server; however, we were able to crack one password immediately on the UNIX server because the password was identical to the username. We were told that the employee no longer worked for BLS and an administrator had set up the account but it was never used. The account should have been deleted.

The BLS Security Officer told us that because user account data is not centralized within the UNIX environment, it is difficult to run this type of test on each individual server. However, BLS is considering using a program that would let them test user password strength on all of their UNIX servers from one place.

Recommendation

We recommend that BLS implement a program to periodically use password auditing software to test the strength of UNIX user passwords.

BLS Response

BLS responded that they will begin testing user password strength on all UNIX accounts in the near future.

OIG Conclusion

This recommendation is resolved but remains open.

Attachment

U.S. Department of Labor - Office of Inspector General
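The account reconciliation test described under Recommendation No. 1.4.8 and the password strength test above are two passes over the same data: a dump of active accounts from each UNIX server. The script below is an added example written for this page, not a tool used by OIG or BLS. It parses per-server dumps, flags login-capable accounts that belong to separated employees, flags accounts unused for more than 30 days (the threshold in the BLS review process), and tries a short list of username-derived guesses against each password hash, which is why a password identical to the username falls immediately. The server names, user names, dates and the "$demo$" hash format are constructed for the example; real /etc/shadow fields use crypt(3) formats and need a crypt-aware library in place of the demo hash.

```python
"""Added example (not OIG or BLS code): reconcile per-server UNIX account
dumps against a separation list and test username-derived passwords."""
import hashlib
from datetime import date, timedelta

# ASSUMPTION: the "$demo$<salt>$<sha256 hex>" hash format is invented so the
# example runs offline.  Real /etc/shadow fields use crypt(3) formats ($1$,
# $5$, $6$ ...); swap _demo_hash/_verify for a crypt-aware library to use them.
def _demo_hash(salt: str, password: str) -> str:
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$demo${salt}${digest}"

# Constructed sample dumps, one per server, in the form
#   user:hash:uid:shell:last_login   (last_login is YYYY-MM-DD or "never")
SAMPLE_DUMPS = {
    "bls-unix-01": "\n".join([
        f"asmith:{_demo_hash('a1', 'c0rrect-horse')}:1001:/bin/ksh:2000-08-15",
        f"mroe:{_demo_hash('b2', 'Tr0ub4dor&3')}:1002:/bin/sh:2000-05-30",  # separated
        f"tlee:{_demo_hash('c3', 'w1nter00')}:1003:/bin/csh:2000-06-01",    # unused > 30 days
        "backup:*:500:/sbin/nologin:never",                                 # locked system account
    ]),
    "bls-unix-02": "\n".join([
        f"jdoe:{_demo_hash('d4', 'jdoe')}:1010:/bin/ksh:never",   # separated, password == username
        f"rkim:{_demo_hash('e5', 'rkim1')}:1011:/bin/sh:2000-08-20",
    ]),
}
SEPARATED = {"jdoe", "mroe"}   # constructed personnel separation list
AS_OF = date(2000, 8, 21)      # last day of fieldwork in the report


def parse_dump(text: str) -> list:
    """Parse one server's dump into account records."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pw_hash, uid, shell, last = line.split(":")
        accounts.append({
            "user": user, "hash": pw_hash, "uid": int(uid), "shell": shell,
            "last_login": None if last == "never" else date.fromisoformat(last),
        })
    return accounts


def is_login_capable(acct: dict) -> bool:
    """Locked hashes ('*', '!') and nologin shells cannot be used to log in."""
    return (not acct["hash"].startswith(("*", "!"))
            and not acct["shell"].endswith(("nologin", "false")))


def username_guesses(user: str) -> list:
    """Guesses a password auditor tries first: the username and trivial variants."""
    guesses = [user, user[::-1], user.capitalize(), user.upper(), user * 2]
    guesses += [user + suffix for suffix in ("1", "123", "00", "2000")]
    return list(dict.fromkeys(guesses))   # de-duplicate, keep order


def _verify(pw_hash: str, guess: str) -> bool:
    if not pw_hash.startswith("$demo$"):
        return False   # locked or foreign format: not testable here
    _, _, salt, _ = pw_hash.split("$")
    return _demo_hash(salt, guess) == pw_hash


def audit_servers(dumps: dict, separated: set, as_of: date, inactive_days: int = 30) -> dict:
    """Return the three classes of finding the report describes, per (server, user)."""
    findings = {"separated_active": [], "inactive": [], "weak_password": []}
    cutoff = as_of - timedelta(days=inactive_days)
    for server, text in sorted(dumps.items()):
        for acct in parse_dump(text):
            if not is_login_capable(acct):
                continue
            user, last = acct["user"], acct["last_login"]
            if user in separated:
                findings["separated_active"].append((server, user))
            if last is None or last < cutoff:
                findings["inactive"].append(
                    (server, user, "never" if last is None else last.isoformat()))
            for guess in username_guesses(user):
                if _verify(acct["hash"], guess):
                    findings["weak_password"].append((server, user, guess))
                    break
    return findings


if __name__ == "__main__":
    for kind, hits in audit_servers(SAMPLE_DUMPS, SEPARATED, AS_OF).items():
        print(kind)
        for hit in hits:
            print("   ", *hit)
```

Run as a script it lists, per server, the separated employees who still have accounts, the accounts unused past the 30-day threshold, and the accounts whose password is the username or a trivial variant of it. The dumps are the only input, which matches how BLS compiled its account list; once a central meta-directory exists, the same reconciliation can be run against it instead of per-server files.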